[154895] in North American Network Operators' Group


Re: using "reserved" IPv6 space

daemon@ATHENA.MIT.EDU (-Hammer-)
Mon Jul 16 12:11:02 2012

Date: Mon, 16 Jul 2012 11:09:28 -0500
From: -Hammer- <bhmccie@gmail.com>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <7527FD11-0748-4DDD-B12A-F83913AE34BF@delong.com>
Cc: Brandon Ross <bross@pobox.com>, nanog@nanog.org,
 "Robert E. Seastrom" <rs@seastrom.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Inline -

-Hammer-

"I was a normal American nerd"
-Jack Herer


> 1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see what happens. For the most part, you will find that it is truly "96 more bits, no magic".

------- Completely agree. Been playing in GNS3 on the basics and we're starting to play in a full lab soon.

> 2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on the Cisco ASR platform. If it's working for you hit me offline. Example 2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

You probably meant 2001:db8:b1aa:b1aa::babe:1 (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the example prefix)

------- I stand corrected. :)

For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for IPv4.


------- On the WAN? Sure. On my Internet facing equipment? I disagree. RAs and ND and all that fun stuff need to be suppressed.

I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor statuses. Contribute what you know/find out there as well, please.


------- Yes they have and NetScaler is running solid as well. My issue is that when you go beyond the basic features of any product with IPv6, things get tricky. I need content switching with redirects and whatnot and based on the few efforts I've seen so far I'm not optimistic. Again, routers and switches seem to be further ahead than other products. They all have their limits in advanced features. Back to my ASR comment.

Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.


------- That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there if there weren't enough customers asking for it. Are all the customers naive? I doubt it. They have their reasons. I agree with your "purist" definition and did not say I was using it. My point is that vendors are still rolling out baseline features even today.

> 3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going through all those docs my brain hurt trying to orient my ACLs properly and go through all the different attributes you want to block where and when. Then I spent some time trying to work out our design schemas for our ARIN space with the WAN design team. What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then you just need to remember some of the old ways of IPv4. If you have no recollection of IPv4 without NAT, then you are correct, it is a huge paradigm shift to go back to the way the internet is supposed to have been before we ran out of addresses.


------- This isn't specific to you, Owen, but to the group in general. I have been around for a while. Not as long as some others here. NAT is a feature and it does have a place. Security. I'm sorry that this frustrates people but security is a layered approach and it starts off simple. If you have a network that doesn't need exposure to the Internet or to someone else you can get fancy with anything from a FW to control source and destination or AD controls so only the accounting team can get in. Sure. They all work. You can also NAT them. Make them invisible. Or null the traffic. The more fundamental the point of defense is the easier it is to understand and sometimes the more difficult it becomes to bypass. Complex security adds a greater potential for vulnerabilities. If you want to protect your car stereo you could lock a cover over it right? But if you could, wouldn't you also just lock the car doors when you leave it? I'm not going to tell you that NAT guarantees you anything. We all know nothing is foolproof. But it is a fundamental feature that works for that purpose. Do I plan on NATting our edge Internet traffic? No. Not for IPv6. Because the protocol was not designed for it. But have I ruled it out as an option for some environments? No.

Bring on the flames. I know this is going to get people stirred up. I promise not to ignore the thread....
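The addressing correction and the ACL-template discussion in the message above both come down to the same thing: knowing which IPv6 prefixes can never be a legitimate source on the outside of an Internet-facing interface (fe80::/10 is link-local, 2001:db8::/32 is the RFC 3849 documentation block, fc00::/7 is ULA, and so on) and putting the denies in the right order ahead of a single permit for global unicast (2000::/3). The Python below is an added example, not code from the thread, from Team Cymru, or from any vendor: it runs constructed sample sources (the two addresses from the thread plus a few others) through a minimal deny list, permits only what remains inside 2000::/3, and renders the same policy as an IOS-style ACL. The deny list, the sample addresses and the ACL syntax are assumptions for illustration and must be checked against your own edge and platform.

```python
"""IPv6 edge ingress source-address filter (added example; not from the
thread, Team Cymru or any vendor). Deny list and sample addresses are
constructed for illustration; tune the list for your own edge."""
import ipaddress
from typing import Iterable, List, Tuple

# Global unicast is currently assigned out of 2000::/3; anything outside it
# is reserved or unallocated and should not show up as a source from the
# Internet (assumption: your edge has no special cases beyond this).
GLOBAL_UNICAST = "2000::/3"

# Ordered deny list, evaluated BEFORE the 2000::/3 permit so that prefixes
# living inside 2000::/3 (the 2001:db8::/32 documentation block) still drop.
DENY_PREFIXES: List[Tuple[str, str]] = [
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("fe80::/10", "link-local"),
    ("fc00::/7", "unique local (ULA)"),
    ("ff00::/8", "multicast (never a valid source)"),
    ("2001:db8::/32", "documentation (RFC 3849)"),
]

# Keep the original prefix text next to the parsed network so the ACL
# renderer emits exactly what was written, not Python's string form.
_DENY = [(p, ipaddress.IPv6Network(p), r) for p, r in DENY_PREFIXES]
_GLOBAL = ipaddress.IPv6Network(GLOBAL_UNICAST)


def check_source(addr: str) -> Tuple[str, str]:
    """Return ("drop" | "permit", reason) for one source address as seen on
    the outside of an Internet-facing interface."""
    ip = ipaddress.IPv6Address(addr)
    for _prefix, net, reason in _DENY:
        if ip in net:
            return "drop", reason
    if ip in _GLOBAL:
        return "permit", "global unicast"
    return "drop", "outside 2000::/3 (reserved or unallocated)"


def filter_sources(addrs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run check_source over a batch; returns (addr, action, reason) rows."""
    return [(a, *check_source(a)) for a in addrs]


def render_ios_acl(name: str = "EDGE-IN") -> str:
    """Render the same policy as an IOS-style IPv6 ACL (assumption: generic
    IOS syntax; verify on the actual platform before applying)."""
    lines = [f"ipv6 access-list {name}"]
    for prefix, _net, reason in _DENY:
        lines.append(f" remark {reason}")
        lines.append(f" deny ipv6 {prefix} any log")
    lines.append(f" permit ipv6 {GLOBAL_UNICAST} any")
    lines.append(" deny ipv6 any any log")
    return "\n".join(lines)


# Constructed sample sources: the two addresses from the thread, then a mix
# of things that should and should not pass an Internet-facing ingress filter.
SAMPLE_SOURCES = [
    "fe80::babe:1",                 # link-local, never routed
    "2001:db8:b1aa:b1aa::babe:1",   # documentation prefix, inside 2000::/3
    "2001:4860:4860::8844",         # real global unicast address
    "fd00::1",                      # ULA
    "::ffff:192.0.2.1",             # IPv4-mapped
    "ff02::1",                      # multicast as a source
    "5000::1",                      # outside 2000::/3
]

if __name__ == "__main__":
    for addr, action, reason in filter_sources(SAMPLE_SOURCES):
        print(f"{action:6} {addr:28} {reason}")
    print()
    print(render_ios_acl())
```

The order matters in both directions: the documentation block has to be denied before the 2000::/3 permit or it slips through, and the explicit final "deny any any log" is what tells you when something new starts hitting the edge. The same deny list can be reused for the egress direction with source and destination swapped, which is the part IPv4 NAT habits tend to make people forget.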
